[coreboot] DMA protection? [AMD-Vi]

Timothy Pearson tpearson at raptorengineering.com
Mon Nov 21 17:28:15 CET 2016



On 11/21/2016 10:16 AM, ron minnich wrote:
> 
> 
> On Mon, Nov 21, 2016 at 7:53 AM Timothy Pearson
> <tpearson at raptorengineering.com>
> wrote:
> 
> 
> 
>     A quick check through the source seems to indicate that the generic
>     pci_set_resource function will enable bus mastering on any PCI bridges.
>      From that point on, if I'm not mistaken, any malicious device that
>     exposed a bridge interface could enable mastering for any logical
>     devices behind the bridge and attack the host.  Am I missing something?
> 
> 
> probably not. Back in the early days this kind of thing was not an issue. 

I hear you on this.  Now, with many peripherals running a complex
on-card operating system and on-card bridges being the norm, this has
become a significant security hole that we should work toward mitigating.

> We've always had to adjust for limits in the kernels we support. We have
> a PCI subsystem mainly because, in 2000, linux could not handle an
> unconfigured PCI bus -- it interpreted a "0 bar" as meaning "device
> disabled by BIOS" -- really!

Not surprised by this.  Unfortunately, from what we've seen, Linux
hasn't gotten much better at configuring bridges.

> I suspect the BME enable on bridges was done because Linux or other
> guests didn't know how to configure bridges correctly. But Linux and
> other kernels are a lot better now than they were; I wonder if we should
> stop enabling BME on bridges. 

It's worth a try.  I suspect Linux won't re-enable BM on bridges that
were otherwise configured, but I haven't looked over that part of the
code in a while either.

> In any event, however, if we make this change it should be done in small
> steps, and I think a good first small step is to start with things that
> *look* obvious, like the aforementioned NIC. I am going to submit a CL
> today to remove BME from that and see how much upset it causes :-)

Sounds good.

-- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
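
An added example, not part of the original message and not coreboot code: a Python audit that reports which PCI-to-PCI bridges have the Bus Master Enable bit set in their command register, the condition discussed in the thread above. The function names, the sysfs path default and the sample config headers are assumptions constructed for illustration.

```python
import glob, os, struct
PCI_COMMAND_MASTER = 0x0004   # command register (offset 0x04), bit 2: Bus Master Enable
PCI_HEADER_TYPE = 0x0E        # header type byte; low 7 bits == 1 means PCI-to-PCI bridge

def parse_header(cfg: bytes) -> dict:
    """Decode vendor, bridge flag and BME bit from raw PCI config space."""
    if len(cfg) < 0x10:
        raise ValueError("need at least 16 bytes of config space")
    vendor, _device, command = struct.unpack_from("<HHH", cfg, 0)
    if vendor == 0xFFFF:
        raise ValueError("no device present")
    return {"vendor": vendor,
            "is_bridge": (cfg[PCI_HEADER_TYPE] & 0x7F) == 0x01,  # mask multi-function bit
            "bus_master": bool(command & PCI_COMMAND_MASTER)}

def bridges_with_bme(configs: dict) -> list:
    """Return sorted addresses of bridges that have Bus Master Enable set."""
    hits = []
    for addr, cfg in configs.items():
        try:
            hdr = parse_header(cfg)
        except ValueError:
            continue  # empty slot or truncated read
        if hdr["is_bridge"] and hdr["bus_master"]:
            hits.append(addr)
    return sorted(hits)

def read_sysfs(root="/sys/bus/pci/devices") -> dict:
    """Read the first 64 config bytes of every PCI function Linux exposes."""
    configs = {}
    for path in glob.glob(os.path.join(root, "*", "config")):
        with open(path, "rb") as f:
            configs[os.path.basename(os.path.dirname(path))] = f.read(64)
    return configs

def make_cfg(vendor, command, header_type) -> bytes:
    """Build a constructed 64-byte config header for the sample below."""
    return struct.pack("<HHH", vendor, 0x0001, command) + bytes(8) + bytes([header_type]) + bytes(49)

# Constructed sample (addresses and vendor ID 0x1234 are made up).
SAMPLE = {
    "0000:00:1c.0": make_cfg(0x1234, 0x0007, 0x81),  # bridge, BME set
    "0000:00:1e.0": make_cfg(0x1234, 0x0003, 0x01),  # bridge, BME clear
    "0000:02:00.0": make_cfg(0x1234, 0x0006, 0x00),  # endpoint, BME set
    "0000:03:00.0": make_cfg(0xFFFF, 0xFFFF, 0xFF),  # empty slot
}

if __name__ == "__main__":
    print(bridges_with_bme(read_sysfs() or SAMPLE))
```

Run on a booted Linux system, this reflects the state after the kernel's own PCI setup as well as what firmware left behind.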


